---
title: OPA
description: Adapter that implements an Open Policy Agent engine.
location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa.html
layout: protoc-gen-docs
generator: protoc-gen-docs
supported_templates: authorization
aliases:
  - /docs/reference/config/adapters/opa.html
number_of_entries: 1
---
<p>The <code>opa</code> adapter exposes an <a href="http://www.openpolicyagent.org">Open Policy Agent</a> engine
that provides sophisticated access control mechanisms.</p>

<p>This adapter supports the <a href="https://istio.io/docs/reference/config/policy-and-telemetry/templates/authorization/">authorization template</a>.</p>

<h2 id="Params">Params</h2>
<section>
<p>Configuration format for the <code>opa</code> adapter.</p>

<p>Example configuration:</p>

<pre><code class="language-yaml">policy:
  - |+
    package mixerauthz
    policy = [
      {
        &quot;rule&quot;: {
          &quot;verbs&quot;: [
            &quot;storage.buckets.get&quot;
          ],
          &quot;users&quot;: [
            &quot;bucket-admins&quot;
          ]
        }
      }
    ]

    default allow = false

    allow = true {
      rule = policy[_].rule
      input.subject.user = rule.users[_]
      input.action.method = rule.verbs[_]
    }
checkMethod: &quot;data.mixerauthz.allow&quot;
failClose: true
</code></pre>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Params-policy">
<td><code>policy</code></td>
<td><code>string[]</code></td>
<td>
<p>List of OPA policies</p>

</td>
<td>
No
</td>
</tr>
<tr id="Params-check_method">
<td><code>checkMethod</code></td>
<td><code>string</code></td>
<td>
<p>Query method to check.
Format: <code>data.&lt;package name&gt;.&lt;method name&gt;</code></p>

</td>
<td>
No
</td>
</tr>
<tr id="Params-fail_close">
<td><code>failClose</code></td>
<td><code>bool</code></td>
<td>
<p>Close the client request when adapter has a issue.
If failClose is set to true and there is a runtime error,
instead of disabling the adapter, close the client request</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
